
[Claims] 

[Claim 1] A key distribution method used in cryptographic
communication, characterized in that it comprises:

at the key manager device:

a first step which generates a secret key S and splits that
secret key S into at least two items of secret information
S1-Sn (n ≥ 2);

a second step which distributes offline to a key user at
least one item of secret information Si (1 ≤ i ≤ n) of the
secret information S1-Sn obtained by said first step;

at the key user device:

a third step which generates authentication information AS
based on the secret information Si distributed offline by
said second step and identification information ID provided
in advance by the key manager, and transmits that
authentication information AS to the key manager device;

at the key manager device:

a fourth step which performs authentication processing of
the key user based on the authentication information AS
transmitted by said third step;

a fifth step which, in the event that the key user was
authenticated by said fourth step, transmits to that key
user device the secret information other than the secret
information Si distributed offline to that key user by said
second step, of the secret information S1-Sn obtained by
said first step;

and at the key user device:

a sixth step which generates said secret key S based on the
secret information Si distributed offline by said second
step, and the secret information S1-Sn other than the secret
information Si, which was transmitted by said fifth step.
[Claim 2] The key distribution method recited in Claim 1,
characterized in that:

said fifth step, in the event that the key user was
authenticated by said fourth step, transmits to that key
user device the secret information other than the secret
information Si distributed offline to that key user by said
second step, of the secret information S1-Sn obtained by
said first step, having encrypted it with said secret
information Si as a key;

and said sixth step decrypts the encrypted secret
information S1-Sn other than the secret information Si,
which was transmitted by said fifth step, with said secret
information Si as a key, and generates said secret key S
based on the decryption result and said secret information
Si.

[Claim 3] The key distribution method recited in Claim 1 or
2, characterized in that it further comprises:

at the key user device:

a seventh step which generates authentication information
AS' based on the secret key S restored by said sixth step,
and transmits that authentication information AS' to the key
manager device;

at the key manager device:

an eighth step which performs authentication processing of
the key user based on the authentication information AS'
transmitted by said seventh step;

and at the key manager device and/or the key user device:

a ninth step which, in the event that the key user was
authenticated by said eighth step, performs billing
processing of a registration fee for cryptographic
communication using said secret key S.

[Claim 4] A key distribution system comprising a key
manager device for generating a key and a key user device
for performing cryptographic communication using the key
generated by that key manager device, characterized in that:

said key manager device comprises:

a key generating means which generates a secret key S and
splits that secret key S into at least two items of secret
information S1-Sn (n ≥ 2);

a storing means which stores on a storage medium at least
one item of secret information Si (1 ≤ i ≤ n) of the secret
information S1-Sn obtained by said key generating means;

a first receiving means which receives authentication
information AS transmitted from said key user device;

an authenticating means which performs authentication
processing of the key user based on the authentication
information AS received by said receiving means;

and a first transmitting means which, in the event that the
key user was authenticated by said authenticating means,
transmits to said key user device the secret information
other than the secret information Si stored on the storage
medium by said storing means, of the secret information
S1-Sn obtained by said key generating means;

and said key user device comprises:

a reading means which reads said secret information Si from
the storage medium on which the secret information Si was
stored by said key manager device;

an authentication information generating means which
generates authentication information AS based on the secret
information Si read by said reading means and identification
information ID provided in advance by the key manager;

a second transmitting means which transmits to said key
manager device the authentication information AS generated
by said authentication information generating means;

a second receiving means which receives the secret
information S1-Sn other than the secret information Si,
which was transmitted by said key manager device;

and a key restoring means which restores the secret key S
generated by said key manager device, based on the secret
information Si read by said reading means and the secret
information S1-Sn other than the secret information Si,
which was received by said second receiving means.
[Claim 5] A key distribution system comprising a key
manager device for generating a key, a key user device for
performing cryptographic communication using the key
generated by that key manager device, and a storage medium
with computing function, characterized in that:

said key manager device comprises:

a key generating means which generates a secret key S and
splits that secret key S into at least two items of secret
information S1-Sn (n ≥ 2);

a storing means which stores on said storage medium with
computing function at least one item of secret information
Si (1 ≤ i ≤ n) of the secret information S1-Sn obtained by
said key generating means;

a first receiving means which receives authentication
information AS transmitted from said key user device;

an authenticating means which performs authentication
processing of the key user based on the authentication
information AS received by said receiving means;

and a first transmitting means which, in the event that the
key user was authenticated by said authenticating means,
transmits to said key user device the secret information
other than the secret information Si stored on said storage
medium with computing function by said storing means, of the
secret information S1-Sn obtained by said key generating
means;

said key user device comprises:

a connecting means which connects said storage medium with
computing function;

a second transmitting means which transmits to said key
manager device the authentication information AS output from
said storage medium with computing function connected by
said connecting means;

and a second receiving means which receives the secret
information S1-Sn other than the secret information Si,
which was transmitted from said key manager device, and
outputs it to said storage medium with computing function
connected by said connecting means;

and said storage medium with computing function comprises:

an authentication information generating means which
generates authentication information AS based on the stored
secret information Si and identification information ID
provided in advance by the key manager, and outputs it to
said key user device to which same medium is connected;

and a key restoring means which restores the secret key S
generated by said key manager device based on the stored
secret information Si and the secret information S1-Sn other
than the secret information Si, which was output from said
key user device to which same medium is connected.
[Claim 6] An information processing device for distributing
a key to a key user for performing cryptographic
communication, characterized in that it comprises:

a key generating means which generates a secret key S and
splits that secret key S into at least two items of secret
information S1-Sn (n ≥ 2);

a storing means which stores on a storage medium at least
one item of secret information Si (1 ≤ i ≤ n) of the secret
information S1-Sn obtained by said key generating means;

a receiving means which receives authentication information
AS transmitted from the key user device, which was generated
based on the secret information Si and identification
information provided in advance to that key user;

an authenticating means which performs authentication
processing of the key user based on the authentication
information AS received by said receiving means;

and a transmitting means which, in the event that the key
user was authenticated by said authenticating means,
transmits to that key user device the secret information
other than the secret information Si stored on the storage
medium by said storing means, of the secret information
S1-Sn obtained by said key generating means.






[Claim 7] The information processing device recited in
Claim 6, characterized in that it further comprises an
encrypting means which, in the event that the key user was
authenticated by said fourth step, encrypts the secret
information other than the secret information Si stored on
the storage medium by said storing means, with said secret
information Si as a key, and outputs to said transmitting
means.

[Claim 8] The information processing device recited in
Claim 6 or 7, characterized in that:

said receiving means receives authentication information AS'
generated based on the secret key S, which was received from
the key user device;

said authenticating means performs authentication processing
based on the authentication processing AS' received by said
receiving means;

and it further comprises a billing means which, in the event
that the key user was authenticated by said authenticating
means based on the authentication information AS', stores
information of that key user specifying a registration fee
for cryptographic communication using said secret key S.
[Claim 9] An information processing device for restoring a
key based on secret information S1-Sn (n ≥ 2) obtained by
splitting a secret key S into at least two parts at a key
manager device, characterized in that it comprises:

a reading means which reads secret information Si (1 ≤ i ≤
n) stored on a storage medium distributed by the key
manager;

an authentication information generating means which
generates authentication information AS based on the secret
information Si read by said reading means and identification
information ID provided in advance by the key manager;

a transmitting means which transmits to the key manager
device the authentication information AS generated by said
authentication information generating means;

a receiving means which receives the secret information
S1-Sn other than the secret information Si, which was
transmitted from the key manager device;

and a key restoring means which restores the secret key S
based on the secret information Si read by said reading
means and the secret information S1-Sn other than the secret
information Si, which was received by said receiving means.
[Claim 10] The information processing device recited in
Claim 9, characterized in that:

the secret information S1-Sn other than the secret
information Si, which was transmitted from the key manager
device, is encrypted with the secret information Si as a
key;

and it further comprises a decrypting means which decrypts
the encrypted secret information S1-Sn other than the secret
information Si, which was received by said receiving means,
with the secret information Si read by said reading means as
a key, and outputs to said key restoring means.
[Claim 11] The information processing device recited in
Claim 9 or 10, characterized in that:

said authentication information generating means generates
authentication information AS' based on the secret key S
restored by said key restoring means;

said transmitting means transmits to the key manager device
the authentication information AS' generated by said
authentication information generating means;

and it further comprises a billing means which, in the event
that the key user was authenticated by said authentication
information AS' at the key manager device, stores
information of that key user specifying a registration fee
for cryptographic communication using said secret key S.


[Claim 12] A storage medium with computing function
constituted so as to be installable in a key user device for
restoring a key based on secret information S1-Sn (n ≥ 2)
obtained by splitting a secret key S into at least two parts
at a key manager device, and performing cryptographic
communication using that key, characterized in that it
comprises:

an authentication information generating means which
generates authentication information AS based on stored
secret information Si (1 ≤ i ≤ n) and identification
information ID provided in advance by the key manager, and
transmits it to the key manager device via the key user
device to which same medium is connected;

and a key restoring means which restores said secret key S
based on the secret information Si which was stored by the
key manager device, and the secret information S1-Sn other
than the secret information Si, which was transmitted by the
key manager device and was received via the key user device
to which same medium is connected.

[Claim 13] The storage medium with computing function
recited in Claim 12, characterized in that:

the secret information S1-Sn other than the secret
information Si, which was transmitted from the key manager
device, is encrypted with the secret information Si as a
key;

and it further comprises a decrypting means which decrypts
the encrypted secret information S1-Sn other than the secret
information Si, which was received by said key user device
to which same medium is connected, with the stored secret
information Si as a key, and outputs to said key restoring
means.

[Claim 14] The storage medium with computing function
recited in Claim 12 or 13, characterized in that:

said authentication information generating means generates
authentication information AS' based on the secret key S
restored by said key restoring means, and transmits to the
key manager device via the key user device to which same
medium is connected;

and it further comprises a billing means which, in the event
that the key user was authenticated by said authentication
information AS' at the key manager device, stores
information of that key user specifying a registration fee
for cryptographic communication using said secret key S.

[Detailed Explanation of the Invention] 

[0001] 

[Field of the Invention] The present invention relates to
technology for distributing keys used in cryptographic
communications to users (for example, recipients of
cryptographic data).

[0002] 

[Prior Art] Generally, secret key cryptography is used when
large volumes of data are transmitted cryptographically. In
secret key cryptography, a key that is common between the
sender and the recipient (common key) must be used. As
methods of distribution of common keys, there are copy key
schemes, individual key schemes, and the like, but in any
case, conventionally, for example, the secret key
information is distributed to the recipient by loading the
secret key information on an IC card, or the like, and
distributing offline to the recipient, or by transmitting
the secret key information to the recipient by cryptographic
communication, or the like.

[0003]

[Problems the Invention Attempts to Solve] However, with
the method which distributes offline by loading the secret
key information on an IC card, or the like, one can imagine
the possibility that an unauthorized party may steal this
storage medium and impersonate the legitimate recipient.
Also, with the method which transmits the secret key
information by cryptographic communication, or the like, one
can imagine the possibility that an unauthorized party may
wiretap and crack the secret key information and impersonate
the legitimate recipient.

[0004] The present invention was created in consideration
of the above situation, and the purpose of the present
invention is to reduce the possibility that that secret key
information may be intercepted by an unauthorized party, and
to improve the security of cryptographic communication.
[0005] 

[Means for Solving the Problems] In order to solve the
above problem, the present invention is a key distribution
method used in cryptographic communication, characterized in
that it comprises: at the key manager device, a first step
which generates a secret key S and splits that secret key S
into at least two items of secret information S1-Sn (n ≥ 2),
and a second step which distributes offline to a key user at
least one item of secret information Si (1 ≤ i ≤ n) of the
secret information S1-Sn obtained by said first step; at the
key user device, a third step which generates authentication
information AS based on the secret information Si
distributed offline by said second step and identification
information ID provided in advance by the key manager, and
transmits that authentication information AS to the key
manager device; at the key manager device, a fourth step
which performs authentication processing of the key user
based on the authentication information AS transmitted by
said third step, and a fifth step which, in the event that
the key user was authenticated by said fourth step,
transmits to that key user device the secret information
other than the secret information Si distributed offline to
that key user by said second step, of the secret information
S1-Sn obtained by said first step; and at the key user
device, a sixth step which generates said secret key S based
on the secret information Si distributed offline by said
second step, and the secret information S1-Sn other than the
secret information Si, which was transmitted by said fifth
step.

[0006] According to the present invention, the key manager
divides the secret key S into plural items of secret
information S1-Sn, and distributes at least one item of
secret information Si thereof to the key user offline by
loading it on a storage medium (including a storage medium
with computing function such as an IC card). Also, it is
made such that the remainder is transmitted online to that
key user only if the key user was authenticated by the
authentication information AS created based on the secret
information Si and the identification information ID given
to the key user.

[0007] By doing thus, even if the storage medium
distributed offline was stolen by an unauthorized party,
with just that, it does not become the case that the
unauthorized party has acquired all of the secret
information S1-Sn necessary for restoring the secret key S.
Likewise, even if the secret information transmitted online
was wiretapped by an unauthorized party, with just that, it
does not become the case that the unauthorized party has
acquired all of the secret information S1-Sn necessary for
restoring the secret key S. Therefore, when distributing
secret key information, the possibility that that secret key
information may be intercepted by an unauthorized party can
be reduced, and consequently the security of the
cryptographic communication can be improved.

[0008] In the present invention, it may be that said fifth
step, in the event that the key user was authenticated by
said fourth step, transmits to that key user device the
secret information other than the secret information Si
distributed offline to that key user by said second step, of
the secret information S1-Sn obtained by said first step,
having encrypted it with said secret information Si as a
key; and it also may be that said sixth step decrypts the
encrypted secret information S1-Sn other than the secret
information Si, which was transmitted by said fifth step,
with said secret information Si as a key, and generates said
secret key S based on the decryption result and said secret
information Si.

[0009] By doing thus, the security when the secret
information S1-Sn other than the secret information Si is
transmitted online can be further improved.
[0010] 

[Modes of Working of the Invention] A mode of working of
the present invention is explained below.

[0011] Fig. 1 is a generalized drawing of a system in which 
the secret key distribution method being one mode of working 
of the present invention is applied. 

[0012] As illustrated, the method of the present mode of
working is implemented in a system including a key manager
device 100 and a key user device 200 which are mutually
connected by a communication circuit 400, and a storage
medium with computing function 300 which is constituted to
be installable in the key manager device 100 and the key
user device 200.

[0013] Fig. 2 shows the generalized functional 
configuration of the key manager device 100. 
[0014] As illustrated, the key manager device 100 is
constituted by a random number generation component 101, an
arithmetic component 102, an encryption/decryption component
103, an authentication component 104, a billing component
105, a memory 106, and a communication component 107. This
functional configuration may be realized in software by
executing programs having coded the procedures for realizing
each function in a computer, or it may be made such that it
is realized in hardware by assembling the logic for
realizing each function. In the case that it is realized in
software, it also may be made such that the programs having
coded the procedures for realizing each function are
provided to the computer being stored on a storage medium
such as a CD-ROM.

[0015] The key manager device 100 is provided with a
mechanism for connecting the storage medium with computing
function 300 to be distributed offline to the key user.
[0016] Fig. 3 shows the generalized functional
configuration of the key user device 200.
[0017] As illustrated, the key user device 200 is
constituted by a random number generation component 201, a
prime number generation component 202, an arithmetic
component 203, an encryption/decryption component 204, a
memory 205, and a communication component 206. This
functional configuration, just as with the key manager
device 100, may be realized in software by executing
programs having coded the procedures for realizing each
function in a computer, or it may be made such that it is
realized in hardware by assembling the logic for realizing
each function. In the case that it is realized in software,
it also may be made such that the programs having coded the
procedures for realizing each function are provided to the
computer being stored on a storage medium such as a CD-ROM.
[0018] The key user device 200 is provided with a mechanism
for connecting the storage medium with computing function
300 distributed offline from the key manager.
[0019] Fig. 4 shows the generalized functional 
configuration of the storage medium with computing function 
300. 

[0020] As illustrated, the storage medium with computing
function 300 is constituted by an encryption/decryption
component 301, an arithmetic component 302, and a memory
303. This functional configuration may be realized in
software by executing programs having coded the procedures
for realizing each function in an IC card, or it may be made
such that it is realized in hardware by assembling the logic
for realizing each function.

[0021] Next, the secret key distribution method being the 
first mode of working of the present invention, which is 
implemented in the system explained above, is explained. 
[0022] First, the key manager device 100, following
instruction by the key manager, generates a random number S
using the random number generation component 101 and uses
this as the secret key of the key user. After that, it
splits the secret key S into secret information S1 and S2
using the arithmetic component 102, and stores the secret
key S and the secret information S1 and S2 in the memory
106. Next, the key manager device 100 retrieves the secret
information S1 from the memory 106, and stores this in the
memory 303 in the storage medium with computing function 300
connected to the key manager device 100.

[0023] The key manager distributes offline to the intended
user the storage medium with computing function 300 on which
is stored the secret information S1.

[0024] The key user having received the storage medium with
computing function 300 on which is stored the secret
information S1 connects this to the key user device 200.
[0025] The key user device 200, following instruction by
the key user, retrieves the secret information S1 from the
storage medium with computing function 300, and uses the
secret information S1 along with identification information
ID of that key user provided in advance by the key manager
in order to perform authentication processing with the key
manager device 100.
[0026] There are various methods for authentication 
processing, but here, for example, a case when using the RSA 
signature scheme and a case when using the ElGamal signature 
scheme are explained. 

[0027] First, the case when using the RSA signature scheme 
is explained. 

[0028] The key user device 200, following instruction by
the key user, creates in advance the information below using
the random number generation component 201, the prime number
generation component 202, and the arithmetic component 203,
and stores it in the memory 205.
[0029]
[Eq. 1]

• Secret information $p, q$: prime numbers

• Signing key $(d, n)$, $d \in \mathbb{Z}$, $n = pq$

• Verification key $(e, n)$, $e \in \mathbb{Z}$, $n = pq$ ... (Eq. 1)
[0030] Here, the signing key is secret and the verification
key is public. The key user device 200 outputs to the
storage medium with computing function 300 the signing key,
and the identification information ID of that key user
provided in advance by the key manager which was input by
the key user. On receiving this, the storage medium with
computing function 300 <text moved up from [0032]> computes
the authentication information AS from

[0031]

[Eq. 2]

$AS = S'^{d} \pmod{n}$ ... (Eq. 2)

[0032] <text moved down from [0030]> using the arithmetic
component 302. Here, S' is a value of a prescribed function
(for example, a hash value) with the secret information S1
and the identification information ID as input. Next, the
storage medium with computing function 300 outputs the
authentication information AS to the key user device 200.
On receiving this, the key user device 200 transmits the
authentication information AS using the communication
component 206 to the key manager device 100 via the
communication circuit 400.

[0033] The key manager device 100, when receiving the
authentication information AS by the communication component
107, <text moved up from [0035]> verifies whether or not
[0034]
[Eq. 3]

$S' = AS^{e} \pmod{n}$ ... (Eq. 3)

[0035] is established <text moved down from [0033]> using
the authentication component 104, and if it is established,
it is authenticated that the key user of the key user device
200 having sent the authentication information AS is a valid
user. The key manager device 100 stores in the memory 106,
in correspondence, the identification information ID
provided to the key user and the secret information S1
stored on the storage medium with computing function 300
distributed offline to that user.

[0036] Next, the case when using the ElGamal signature 
scheme is explained. 

[0037] The key user device 200, on instruction by the key
user, generates a prime number p using the prime number
generation component 202 <text moved up from [0039]> and
generates α satisfying

[0038]

[Eq. 4]

$\mathrm{ord}_p(\alpha) = p - 1$ ... (Eq. 4)

[0039] <text moved down from [0037]> using the arithmetic
component 202. Also, it outputs the generated α and the
prime number p to the storage medium with computing function
300. On receiving this, the storage medium with computing
function 300 <text moved up from [0041]> computes y
satisfying

[0040]

[Eq. 5]

$y = \alpha^{S'} \pmod{p}$ ... (Eq. 5)

[0041] <text moved down from [0039]> using the arithmetic
component 302, and sets the signing key as (x, α, p) and the
verification key as (y, α, p). Here, S' is a value of a
prescribed function (for example, a hash value) with the
secret information S1 and the identification information ID
as input.

[0042] Next, the key user device 200 generates a random
number k relatively prime to p - 1 using the random number
generation component 201, <text moved up from [0044]> and
computes r satisfying
[0043]
[Eq. 6]

$r = \alpha^{k} \pmod{p}$ ... (Eq. 6)

[0044] Furthermore, it generates a suitable message m using
the random number generation component 201, and outputs it
to the storage medium with computing function 300 together
with r, k. On receiving this, the storage medium with
computing function 300 <text moved up from [0046]> computes
t satisfying

[0045]

[Eq. 7]

$t = (m - S'r)k^{-1} \pmod{p - 1}$ ... (Eq. 7)

[0046] <text moved down from [0044]> using the arithmetic
component 302. Also, with (r, t) as the signature for the
message m, it outputs the message m and the signature (r, t)
to the key user device 200. On receiving this, the key user
device 200 transmits the message m and the signature (r, t)
using the communication component 206 to the key manager
device 100 via the communication circuit 400.
[0047] The key manager device 100, when receiving the 
message m and the signature (r, s) , <text moved up from 
[0049] > verifies whether or not 
[0048] 
[Eq. 8] 

Eq. 8 „ 
a m = yV^mod p) ... (Eq. 8) 

[0049] is established <text moved down from [0047] > using 
the authentication component 104, and if it is established, 
it is authenticated that the key user of the key user device 
200 having sent the message m and the signature (r, s) is a 
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valid user. The key manager device 100 stores in the memory 
106, in correspondence, the identification information ID 
provided to the key user and the secret information SI 
stored on the storage medium with computing function 300. 
distributed offline to that user. 
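The exchange in [0042]-[0049], as an added Python example that is not part of the patent text: the signing computation of Eqs. 5 to 7 and the key manager's check of Eq. 8 against its stored (ID, S1) record. Assumptions: SHA-256 as the prescribed function for S', the toy prime 2^127 - 1 with base 3, the registry layout, all function names, and the manager recomputing y from its stored record; the signature is written (r, t) as in Eq. 7, where the text also writes (r, s).

```python
import hashlib
import secrets
from math import gcd

# Constructed toy group (assumption): Mersenne prime 2^127 - 1 with base 3.
# Eq. 8 holds for any base when p is prime; real parameters must be far larger.
P = 2**127 - 1
ALPHA = 3

def derive_s_prime(s1: bytes, ident: bytes) -> int:
    """S' = prescribed function of S1 and ID (SHA-256 is an assumption)."""
    data = len(s1).to_bytes(2, "big") + s1 + ident  # length prefix avoids ambiguity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def verification_key(s_prime: int) -> int:
    """Eq. 5: y = alpha^S' mod p."""
    return pow(ALPHA, s_prime, P)

def sign(s_prime: int, m: int) -> tuple[int, int]:
    """Eqs. 6 and 7 in one place (the page splits them between 200 and 300)."""
    while True:
        k = secrets.randbelow(P - 2) + 1      # 1 <= k <= p - 2
        if gcd(k, P - 1) == 1:                # k must be invertible mod p - 1
            break
    r = pow(ALPHA, k, P)                                  # Eq. 6
    t = (m - s_prime * r) * pow(k, -1, P - 1) % (P - 1)   # Eq. 7
    return r, t

def verify(y: int, m: int, r: int, t: int) -> bool:
    """Eq. 8: alpha^m == y^r * r^t (mod p), with range checks on r and t."""
    if not (0 < r < P and 0 <= t < P - 1):
        return False
    return pow(ALPHA, m, P) == pow(y, r, P) * pow(r, t, P) % P

def authenticate(registry: dict[bytes, bytes], ident: bytes,
                 m: int, r: int, t: int) -> bool:
    """Key manager side: look up S1 stored for ID, rebuild y, check Eq. 8."""
    s1 = registry.get(ident)
    if s1 is None:
        return False
    return verify(verification_key(derive_s_prime(s1, ident)), m, r, t)

if __name__ == "__main__":
    registry = {b"user-0001": b"constructed-S1-value"}   # constructed sample data
    m = secrets.randbelow(P - 1)
    r, t = sign(derive_s_prime(b"constructed-S1-value", b"user-0001"), m)
    print(authenticate(registry, b"user-0001", m, r, t))
```

Eq. 7 signs m directly, and the example follows the page in that; the range check on r and t in `verify()` is an addition that Eq. 8 itself does not state.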
[0050] If the key user is authenticated by the
authentication processing explained above, the key manager
device 100 encrypts the secret information S2 with the
secret information S1 as a key using the
encryption/decryption component 103. Also, it transmits the
encrypted secret information S2 using the communication
component 107 to the key user device 200 via the
communication circuit 400.

[0051] The key user device 200, when receiving the
encrypted secret information S2, outputs this to the storage
medium with computing function 300. On receiving this, the
storage medium with computing function 300 decrypts the
encrypted secret information S2 with the secret information
S1 as a key using the encryption/decryption component 301,
and stores it in the memory 303. Furthermore, it restores
the original key S based on the decrypted secret information
S2 and the secret information S1 using the arithmetic
component 302, and stores it in the memory 303.

[0052] Next, the key user device 200, following instruction
by the key user, retrieves the secret key S from the storage
medium with computing function 300 and uses this secret key
S to perform authentication processing by the same procedure
as above with the key manager device 100.

[0053] In the case when using the RSA signature scheme, the
secret key S should be used in place of S' in the above (Eq.
2) and (Eq. 3). Also, in the case when using the ElGamal
signature scheme, the secret key S should be used in place
of S' in the above (Eq. 5) and (Eq. 7).

[0054] If the key user is authenticated, the key manager
device 100 generates registration fee information (billing
information) for cryptographic communication using the
secret key S for that user using the billing component 105,
and stores this in the memory 106. This information is
utilized on the occasion of invoicing that key user.

[0055] When the secret key S is distributed to the key user
by the above processing, the key user performs cryptographic
communication with an information provider using the secret
key S. Or, after having performed key sharing with an
information provider using the secret key S, one performs
cryptographic communication using that shared key.

[0056] Here, a system for performing cryptographic
communication between a key user and an information provider
in the case when the key manager and the information
provider are identical is shown in Fig. 5. As illustrated,
the information provider device 500 performs cryptographic
communication with the key user device 200 of that user,
using the secret key S distributed to the key user by the
key manager device 100.

[0057] In the present mode of working, the key manager
splits the secret key S into secret information S1 and S2,
and distributes the secret information S1 offline to the key
user, loaded on a storage medium (including a storage
medium with computing function such as an IC card). Also,
it is made such that the secret information S2 is
transmitted online to that key user only if the key user was
authenticated by the authentication information AS created
based on the secret information S1 and the identification
information ID given to the key user.

[0058] By doing thus, even if the storage medium
distributed offline was stolen by an unauthorized party,
with just that, the unauthorized party cannot acquire all of
the secret information S1 and S2 necessary for restoring the
secret key S. Therefore, when distributing secret key
information, the possibility that that secret key
information may be intercepted by an unauthorized party can
be reduced, and consequently the security of the
cryptographic communication can be improved.

[0059] Also, in the present mode of working, the key
manager device 100, in the event that the key user was
authenticated by the authentication information AS created
based on the secret information S1 and the identification
information ID given to the key user, transmits the secret
information S2 to the key user device 200, having encrypted
it with the secret information S1 as a key, and the key user
device 200 decrypts the encrypted secret information S2 with
the secret information S1 as a key, and restores the secret
key S based on the decryption result and the secret key S1.
By doing thus, the security when the secret information S2
is transmitted online can be further improved.

[0060] In the above mode of working, a case when the secret
key S was split into two items of secret information S1 and
S2 was explained. However, the present invention is not
limited to this, and it may be made such that the secret key
S is split into at least two items of secret information
S1-Sn. In this case, it should be made such that at least
one item thereof is distributed offline and the remainder is
transmitted online using a communication circuit.

[0061] Also, in the above mode of working, a case when it
was made such that the billing information is stored in the
memory 106 in the key manager device 100 by the billing
component 105 of the key manager device 100 was explained,
but the present invention is not limited to this. For
example, it also may be made such that the billing component
105 is provided in the key user device 200 or the storage
medium with computing function 300 instead of being provided
in the key manager device 100, and the billing information
is stored in the memory 205 in the key user device 200 or
the memory 303 in the storage medium with computing function
300. This information is uploaded to the key manager server
100 for utilization on the occasion of invoicing the key
user.

[0062]

[Effect of the Invention] As explained above, according to
the present invention, when the key manager distributes
secret key information to the key user, the possibility that
that secret key information may be intercepted by an
unauthorized party can be reduced, and consequently, the
security of the cryptographic communication can be improved.

[Brief Explanation of the Drawings] 

[Fig. 1] is a generalized drawing of a system in which the 
secret key distribution system being one mode of working of 
the present invention is applied. 

[Fig. 2] is a generalized drawing of the functional 
configuration of the key manager device 100 shown in Fig. 1. 

[Fig. 3] is a generalized drawing of the functional 
configuration of the key user device 200 shown in Fig. 1. 

[Fig. 4] is a generalized drawing of the functional
configuration of the storage medium with computing function
300 shown in Fig. 1.

[Fig. 5] is a generalized drawing of a system for performing
cryptographic communication between a key user and an
information provider in a case when the key manager and the
information provider are identical.

[Explanation of the Symbols]

100 Key manager device
101, 201 Random number generation component
102, 203, 302 Arithmetic component
103, 204, 301 Encryption/decryption component
104 Authentication component
105 Billing component
106, 205, 303 Memory
107, 206 Communication component
200 Key user device
202 Prime number generation component
300 Storage medium with computing function
400 Communication circuit
500 Information provider device

[Drawing sheets, Figs. 1 to 5: the labels on the drawings repeat the reference numerals listed under Explanation of the Symbols. Additional labels: "Cryptographic communication", "Authentication processing", and, on the sheet showing the information provider device 500, boxes marked "Key manager/information provider" and "User".]